Principles for Software Assurance Assessment A Framework for Examining the Secure Development Processes of Commercial Technology Providers PRIMARY AUTHORS: Shaun Gilmore, Senior Security Program Manager, Trustworthy Computing, Microsoft Corporation Reeny Sondhi, Senior Director, Product Security Engineering, EMC Corporation Stacy Simpson, Director, SAFECode © 2015 SAFECode – All Rights Reserved. Principles for Software Assurance Assessment Table of Contents Foreword ��������������������������������������������������������������������������������������������������������������������������������� 3 Methodology �������������������������������������������������������������������������������������������������������������������������� 3 Problem Statement ���������������������������������������������������������������������������������������������������������������� 4 Framework Overview ������������������������������������������������������������������������������������������������������������� 5 Guiding Principles for Software Security Assessment ����������������������������������������������������������������������6 The SAFECode Supplier Software Assurance Assessment Framework ������������������������������ 7 What Are Your Risk Management Requirements? ����������������������������������������������������������������������������7 The Tier Three Assessment �����������������������������������������������������������������������������������������������������������������8 The Tier One and Tier Two Assessments ���������������������������������������������������������������������������������������������8 Secure Development and Integration Practices ��������������������������������������������������������������������������������������������������� 9 Product Security Governance�������������������������������������������������������������������������������������������������������������������������������������� 9 Vulnerability Response Process ��������������������������������������������������������������������������������������������������������������������������������10 Examples of Tier Two Process Assessments����������������������������������������������������������������������������������������������������������10 Assessment Methodology�����������������������������������������������������������������������������������������������������������������10 Product Adherence to the Process ��������������������������������������������������������������������������������������������������������������������������11 Summary and Future Directions �����������������������������������������������������������������������������������������11 Appendix A: Sample Questionnaire for a Process-Based Assessment: Boeing ���������������12 Appendix B: Sample Questionnaire for a Process-Based Assessment: FS-ISAC �������������14 2 © 2015 SAFECode – All Rights Reserved. Principles for Software Assurance Assessment Foreword Software assurance encompasses the development Customers increasingly ask questions about the software assurance practices of their and implementation of suppliers and how they can be confident in the security of the software these suppliers methods and processes produce� The answers to these questions help customers select and purchase more secure for ensuring that software technology products; they also further enable them to better assess their technology functions as intended, suppliers and manage their broader information technology risk� This has led to a number of recent efforts in industry and government to define a path forward for assessing the security while mitigating the risks of of commercial technology products� vulnerabilities and malicious code that could bring harm to Many of these efforts have provided useful points of reference for customers seeking to the end user� understand and assess software security� However, these initiatives take many different forms – from emerging global standards, to ad hoc program efforts by industry and government groups, to published perspectives from security vendors and other interested parties� While all of these initiatives bring value to the overall software security landscape, and to the specific organizations that they may serve, their varying approaches and claims can create challenges for those seeking to select the most effective assessment approach for their organizations� Not only are there negative implications of poorly formed security evaluations for technology providers, there are also less recognized, but significant, drawbacks for customers that base their procurement decision-making around an incomplete or misleading assessment� This paper provides a framework for examining the secure development process of commercial technology providers� It is designed to help readers select the most appropriate assessment method for their needs, and provides guidance to help them develop a process- based assessment for use in cases when an appropriate international standard does not apply� Methodology As with other SAFECode work, this paper is grounded in an analysis of what SAFECode member organizations actually see and do in their day-to-day software assurance efforts� We reviewed with our members the types of security documentation they provide to customers, the questions and documentation most often requested by customers, their experiences with current standards and evaluation methods, and their assessments of the impact of customer security reviews on their internal secure development processes� To broaden our perspective, we also reached out to a number of representatives of prominent enterprises with experience in managing the security of acquired software� Through informal conversations and more formal outreach, we gathered feedback on their biggest challenges in dealing with software suppliers, what is most helpful to their risk assessment process, and their requirements for effective security assessment� The assessment framework put forth in this paper was developed based on this year-long effort� In this way, we hope to present a framework that is effective, practical, and spans a diverse and global set of customer and supplier needs 3 © 2015 SAFECode – All Rights Reserved. Principles for Software Assurance Assessment Problem Statement SAFECode believes software assurance assessment efforts All customers have software assurance concerns, and all customers want confidence that should focus on supporting commercial software is secure and reliable� When acquiring software, customers have a the development and primary concern that they may be introducing new vulnerabilities into their IT environments� Software vulnerabilities can compromise customer data, disrupt business services, and acceptance of international jeopardize trust� Therefore, customers require that software be developed in a way that standards� Examples of minimizes the number of vulnerabilities, and customers expect suppliers to have appropriate relevant standards include: update mechanisms for use when vulnerabilities emerge� This is only achieved when ISO/IEC 27034-1:2011 software is created and sustained using best practices for a secure software development lifecycle� Information technology – Security techniques – To gain the necessary confidence in acquired software, customers need a method for Application security is an assessing the security of the software, including the impact the software may have on the international standard for organization’s risk posture� A process-based assessment of a supplier’s software assurance secure development processes� practices can deliver this confidence, empowering customers to better manage risk� Additional parts, covering The highest degree of confidence is achieved when a supplier conforms to international other related areas, are under standards for software assurance and secure development� Conformance to international development� standards indicates a more formal commitment by the supplier to software assurance, and to a well-structured and governed approach to integrating security into the software IEC/ISA-62443 is a standard development lifecycle� However, historically we have lacked a broadly accepted industry for industrial automation standard for software assurance and secure development that performs a role similar to and control systems� In that of ISO 9000 for quality� Common Criteria [ISO 15408] is a widely used mechanism for particular, part 4-1 of this evaluating security capabilities in commercial IT products� However, it primarily focuses on standard addresses product product security features, not on the security development process� development� Recently, there have been positive developments on the standardization front, and new standards that focus on secure development processes are emerging� IEC/ISA-624431 is a standard for industrial automation and control systems that has become more broadly adopted� It addresses Security Development Lifecycle Assurance (SDLA) processes for products and software applications integrated in an industrial automation and control system� Also, the FDA has accepted IEC/ISA-62443 as a consensus standard for medical devices� In addition, ISO/IEC 27034 is an international standard for specifying secure development lifecycle processes� Part 12 of the standard is published, and provides an overview of a mature security development process� Additional sections, including a validation framework, are currently under development� Even with this progress, however, we recognize that these standards are not widely adopted� While